From: Ralph Dolmans Date: Fri, 20 May 2016 14:04:27 +0000 (+0000) Subject: - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC signed zones. X-Git-Tag: release-1.5.9rc1~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f39692acc7de3ff834467f3be83ae1ca6e5db646;p=thirdparty%2Funbound.git - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC signed zones. git-svn-id: file:///svn/unbound/trunk@3722 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 0b50a169d..3c8ed60bd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+20 May 2016: Ralph
+ - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
+ signed zones.
+
 19 May 2016: Wouter
 - Fix #766: dns64 should synthesize results on timeout/errors.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index d3022c4a7..c47ee3754 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2262,28 +2262,37 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
 /* Best effort qname-minimisation.
 * Stop minimising and send full query when RCODE
- * is not NOERROR */
+ * is not NOERROR. */
 if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
 LDNS_RCODE_NOERROR)
 iq->minimisation_state = DONOT_MINIMISE_STATE;
- /* Make subrequest to validate intermediate NXDOMAIN if
- * harden-below-nxdomain is enabled. */
 if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
- LDNS_RCODE_NXDOMAIN &&
- qstate->env->cfg->harden_below_nxdomain) {
- struct module_qstate* subq = NULL;
- log_query_info(VERB_QUERY,
- "schedule NXDOMAIN validation:",
- &iq->response->qinfo);
- if(!generate_sub_request(
- iq->response->qinfo.qname,
- iq->response->qinfo.qname_len,
- iq->response->qinfo.qtype,
- iq->response->qinfo.qclass,
- qstate, id, iq, INIT_REQUEST_STATE,
- FINISHED_STATE, &subq, 1)) {
- verbose(VERB_ALGO,
- "could not validate NXDOMAIN response");
+ LDNS_RCODE_NXDOMAIN) {
+ /* Stop resolving when NXDOMAIN is DNSSEC
+ * signed. Based on assumption that namservers
+ * serving signed zones do not return NXDOMAIN
+ * for empty-non-terminals. */
+ if(iq->dnssec_expected)
+ return final_state(iq);
+ /* Make subrequest to validate intermediate
+ * NXDOMAIN if harden-below-nxdomain is
+ * enabled. */
+ if(qstate->env->cfg->harden_below_nxdomain) {
+ struct module_qstate* subq = NULL;
+ log_query_info(VERB_QUERY,
+ "schedule NXDOMAIN validation:",
+ &iq->response->qinfo);
+ if(!generate_sub_request(
+ iq->response->qinfo.qname,
+ iq->response->qinfo.qname_len,
+ iq->response->qinfo.qtype,
+ iq->response->qinfo.qclass,
+ qstate, id, iq,
+ INIT_REQUEST_STATE,
+ FINISHED_STATE, &subq, 1))
+ verbose(VERB_ALGO,
+ "could not validate NXDOMAIN "
+ "response");
 }
 }
 return next_state(iq, QUERYTARGETS_STATE);
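Review bot: The new `if(iq->dnssec_expected) return final_state(iq);` makes the ancestor's NXDOMAIN the final answer for the full query on the strength of an expectation derived from the delegation, not of anything checked in this response, so whether an unsigned or forged denial is caught now depends entirely on the validator module rejecting the NSEC/NSEC3 proof downstream; that dependency should be stated next to the return, e.g. `/* Nothing here checks the signature: dnssec_expected only means the validator will reject an unsigned or bogus NXDOMAIN proof. */`, and a `verbose(VERB_ALGO, "qname minimisation: NXDOMAIN from signed zone, not falling back");` next to it would make this early exit visible in traces. The comment added above it also has a typo, `namservers` should read `nameservers`. Because `iq->response->qinfo` holds the minimised name rather than the original qname on this path, it is worth confirming that the finished-state handling copes with that mismatch; I cannot see it from the hunk. processQueryResponse begins and ends outside the hunk.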